Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Silently drop PDUs we fail to parse from federation, instead of failing entire transaction #17893

Open
wants to merge 16 commits into
base: develop
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from 8 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/17893.doc
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Fix a bug where all messages from a server could be blocked because of one bad event. Contributed by @morguldir
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there more context for the issue you ran into specifically? Some issue that should be linked?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't think there's an issue for it, but basically unless the room is v11, the version key is actually unprotected. Unfortunately there was no cs api protection for redacting the create event in conduwuit, so a silly bot creator accidentally redacted everything in the room, making that particular room version fall back to "1" like the spec says

Once i finally returned 200 OK, all the pdus and edus that had been failing started to trickle in again at last

I think matrix.org was also in the room at the time, so it's similarly affected

Copy link
Contributor

@MadLittleMods MadLittleMods Nov 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume you're talking about the behavior described here:

Room Version 11

[New in this version] [...] The m.room.create event now keeps the entire content property.

-- https://spec.matrix.org/v1.12/rooms/v11/#redactions

And the m.room.create event defines the content.room_version.

For my own reference, this was added in MSC2176 and included in room version 11 via MSC3820.


I see how this PR allows valid events from a transaction to be received while ignoring invalid ones.

In the scenario where a room falls back to a v1 room, does the room_version we have stored in Synapse get updated?

If the room_version doesn't get updated, this just makes sure that the server can receive the final "valid" events in the room before it broke (people started sending v1 events). Is there an issue tracking whether Synapse should update the room_version after the m.room.create redaction?

If the room_version does get updated to v1, then events are only accepted according to the order received (before/after receiving the redaction forcing the fallback).

Perhaps we should have a test for this scenario?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately there was no cs api protection for redacting the create event

Does this exist in Synapse somewhere already?

Copy link
Contributor Author

@morguldir morguldir Nov 8, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cs api errors with

if original_event.type == EventTypes.Create:
raise AuthError(403, "Redacting create events is not permitted")

i tried to send a redaction from construct (conduwuit would update the room version and fail to send the redaction as well), when it was a partial state room it seemed to error somewhat, but for a normal room it didn't seem like anything happened, the event didn't show in my timeline, but it was persisted on disk without errors.

I did an initial sync too, and the create event was still there, so i assume it just gets ignored? 🤔

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the scenario where a room falls back to a v1 room, does the room_version we have stored in Synapse get updated?

Also to be clear, the scenario is mostly on the conduwuit side in this case

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there more context for the issue you ran into specifically? Some issue that should be linked?

Seeing the sytest failure now there actually is an for it already, matrix-org/synapse#7543 / #7543

https://github.com/matrix-org/sytest/blob/9bff8eba1bdbdcdfcdbf8277c1515e07e356e37b/tests/50federation/51transactions.pl#L50-L58

Copy link
Contributor

@MadLittleMods MadLittleMods Nov 8, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good find! I've linked the issues in the PR description at the top

The Sytest says this:

# Room version 6 states that homeservers should strictly enforce canonical JSON
# on PDUs. Test that a transaction to `send` with a PDU that has bad data will
# be handled properly.
#
# This enforces that the entire transaction is rejected if a single bad PDU is
# sent. It is unclear if this is the correct behavior or not.
#
# See https://github.com/matrix-org/synapse/issues/7543

I feel like given the nature of how PUT /_matrix/federation/v1/send/{txnId} is spec'ed, it makes sense that some PDU's can fail to process while others succeed. The response is literally a map of events to any potential errors when processing that specific event.

Since the Sytest test also says "It is unclear if this is the correct behavior or not.", my interpretation could be correct. Probably should get a few more eyeballs here.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@morguldir I had this on the To-Discuss for the weekly meeting today but we ran out of time to discuss. This is the first thing on the board to discuss next week though 🤞

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see, thanks for the reviews so far 🙏

MadLittleMods marked this conversation as resolved.
Show resolved Hide resolved
47 changes: 42 additions & 5 deletions synapse/federation/federation_server.py
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,11 @@
SynapseError,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@morguldir Are you up for adding a test for this? Probably something in tests/federation/test_federation_server.py, make a request like this and then assert that the other PDU's in the transaction besides the corrupted one were persisted.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is b6b5d81 what you had in mind? See also matrix-org/complement#743

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ahh, I completely missed your Complement test in my initial review. The Synapse test is looking good 👍

UnsupportedRoomVersionError,
)
from synapse.api.room_versions import KNOWN_ROOM_VERSIONS, RoomVersion
from synapse.api.room_versions import (
KNOWN_ROOM_VERSIONS,
EventFormatVersions,
RoomVersion,
)
from synapse.crypto.event_signing import compute_event_signature
from synapse.events import EventBase
from synapse.events.snapshot import EventContext
Expand Down Expand Up @@ -129,6 +133,8 @@
# federation.
_INBOUND_EVENT_HANDLING_LOCK_NAME = "federation_inbound_pdu"

_UNKNOWN_EVENT_ID = "<Unknown>"


class FederationServer(FederationBase):
def __init__(self, hs: "HomeServer"):
Expand Down Expand Up @@ -432,6 +438,8 @@ async def _handle_pdus_in_txn(

newest_pdu_ts = 0

pdu_results = {}

for p in transaction.pdus:
# FIXME (richardv): I don't think this works:
# https://github.com/matrix-org/synapse/issues/8429
Expand All @@ -446,7 +454,7 @@ async def _handle_pdus_in_txn(
# We try and pull out an event ID so that if later checks fail we
# can log something sensible. We don't mandate an event ID here in
# case future event formats get rid of the key.
possible_event_id = p.get("event_id", "<Unknown>")
possible_event_id = p.get("event_id", _UNKNOWN_EVENT_ID)

# Now we get the room ID so that we can check that we know the
# version of the room.
Expand All @@ -469,14 +477,43 @@ async def _handle_pdus_in_txn(
logger.info("Ignoring PDU: %s", e)
continue

event = event_from_pdu_json(p, room_version)
# An event should only have an event_id at this point if it's for a v1/v2 like room.
# In future room versions, the `event_id` is derived from the event canonical JSON.
#
# So if we see a `event_id` but the room version doesn't support
# v1/v2 events, then it's invalid and we should reject it.
if possible_event_id != _UNKNOWN_EVENT_ID:
if room_version.event_format != EventFormatVersions.ROOM_V1_V2:
logger.info(
f"Rejecting event {possible_event_id} from {origin} "
f"because the event was made for a v1 room, "
f"while {room_id} is a v{room_version.identifier} room"
)
pdu_results[possible_event_id] = {
"error": "Event ID should not be supplied in non-v1/v2 room"
}
continue
MadLittleMods marked this conversation as resolved.
Show resolved Hide resolved

try:
event = event_from_pdu_json(p, room_version)
except Exception as e:
# We can only provide feedback to the federating server if we can determine what the event_id is
# but since we we failed to parse the event, we can't derive the `event_id` so there is nothing
morguldir marked this conversation as resolved.
Show resolved Hide resolved
# to use as the `pdu_results` key. Best we can do is just log for our own record and move on.
if possible_event_id != _UNKNOWN_EVENT_ID:
anoadragon453 marked this conversation as resolved.
Show resolved Hide resolved
pdu_results[possible_event_id] = {
"error": f"Failed to convert json into event, {e}"
morguldir marked this conversation as resolved.
Show resolved Hide resolved
}
logger.warning(
"Failed to parse event {possible_event_id} in transaction from {origin}, due to {e}"
)
continue

pdus_by_room.setdefault(room_id, []).append(event)

if event.origin_server_ts > newest_pdu_ts:
newest_pdu_ts = event.origin_server_ts

pdu_results = {}

# we can process different rooms in parallel (which is useful if they
# require callouts to other servers to fetch missing events), but
# impose a limit to avoid going too crazy with ram/cpu.
Expand Down
53 changes: 52 additions & 1 deletion tests/federation/test_federation_server.py
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,9 @@

from twisted.test.proto_helpers import MemoryReactor

from synapse.api.room_versions import KNOWN_ROOM_VERSIONS
from synapse.api.constants import EventTypes
from synapse.api.errors import NotFoundError
from synapse.api.room_versions import KNOWN_ROOM_VERSIONS, RoomVersions
from synapse.config.server import DEFAULT_ROOM_VERSION
from synapse.events import EventBase, make_event_from_dict
from synapse.rest import admin
Expand Down Expand Up @@ -84,6 +86,55 @@ async def failing_handler(_origin: str, _content: JsonDict) -> None:
)
self.assertEqual(500, channel.code, channel.result)

def test_accept_valid_pdus_and_ignore_invalid(self) -> None:
morguldir marked this conversation as resolved.
Show resolved Hide resolved
user = self.register_user("nex", "test")
tok = self.login("nex", "test")
room_id = self.helper.create_room_as("nex", tok=tok)
morguldir marked this conversation as resolved.
Show resolved Hide resolved

builder = self.hs.get_event_builder_factory().for_room_version(
MadLittleMods marked this conversation as resolved.
Show resolved Hide resolved
RoomVersions.V10,
{
"type": EventTypes.Message,
"sender": user,
"room_id": room_id,
"content": {"body": "hello i am nexy", "msgtype": "m.text"},
morguldir marked this conversation as resolved.
Show resolved Hide resolved
},
)
event1, _ = self.get_success(
self.hs.get_event_creation_handler().create_new_client_event(builder)
)
event2, _ = self.get_success(
self.hs.get_event_creation_handler().create_new_client_event(
builder, prev_event_ids=[event1.event_id]
)
)

event1_json = event1.get_pdu_json()
event2_json = event2.get_pdu_json()
morguldir marked this conversation as resolved.
Show resolved Hide resolved

logging.info("Purposefully adding event id that shouldn't be there")
MadLittleMods marked this conversation as resolved.
Show resolved Hide resolved
event2_json["event_id"] = event2.event_id

channel = self.make_signed_federation_request(
"PUT",
"/_matrix/federation/v1/send/txn",
{"pdus": [event1_json, event2_json]},
)
body = channel.json_body
logging.info(f"Response body: {body}")
morguldir marked this conversation as resolved.
Show resolved Hide resolved
self.assertTrue(body["pdus"][event1.event_id] == {})
self.assertTrue(body["pdus"][event2.event_id]["error"] != "")
morguldir marked this conversation as resolved.
Show resolved Hide resolved
result = self.get_success(
self.hs.get_storage_controllers().main.get_event(event1.event_id)
)
self.assertEqual(result.event_id, event1.event_id)
MadLittleMods marked this conversation as resolved.
Show resolved Hide resolved

# Make sure the corrupt event isn't persisted
self.get_failure(
self.hs.get_storage_controllers().main.get_event(event2.event_id),
NotFoundError,
)


class ServerACLsTestCase(unittest.TestCase):
def test_blocked_server(self) -> None:
Expand Down
Loading